After the horror of PayPal 2FA has finally been resolved, I've just discovered one even worse: Twitch.
You would think that being owned by Amazon (who does 2FA properly), they'd have it under control, but apparently not. They only offer some Authy-specific integration which forces you to either use insecure SMS (ugh) or the Authy app (even more ugh).
But fear not, once again under the hood it is mostly standard TOTP, we just have to do the extra work of reverse engineering and removing the proprietary bloat.
Unfortunately there are no recovery codes or anything, so it seems like recovery will still be based on SMS, but at least you can have the freedom to use whatever TOTP client you want.
Extra things required:
- phone number able to receive SMS
- desktop Google Chrome (or Chromium etc.)
Step 1: Enable 2FA in Twitch
This is pretty straightforward. On the desktop website, go to Settings > Security and Privacy > Security > Two-Factor Authentication.
Turn on dark theme while you're at it.
Click the "Set up two-factor authentication" button. It'll take you to a page where you need to enter your phone number. Note that this is actually Twitch selling you out to Authy, who now get your phone number and Twitch email address.
Anyway, Authy will now send you an SMS trying to trick you into installing their app, ignore it for now. A few minutes later you'll receive another SMS with an actual code, which you can also ignore.
At this point you could enter the SMS code to complete setup and continue using SMS codes without ever touching Authy itself, but we can do better…
Step 2: Sign in to Authy
You need to install the Chrome extension version of Authy. There are desktop Windows/macOS and mobile Android/iOS apps, but this is the one we can most easily poke around in to pull our TOTP settings out of. They don't support desktop Linux or Firefox at all, which is a bit of a joke, so this is definitely the lesser evil.
Once you've installed the extension, open it up and it'll ask you to again enter your phone number. Enter the same one you entered with Twitch earlier and it'll sign you in to your auto-created account. It'll make you verify the sign-in, which is easiest via SMS, so unlike the previous steps you do need a working phone number.
It may prompt you to set a "Master password" but you don't actually have to, so ignore it. You may want to change the email address though if you don't want it to use your Twitch one, and in case you want to recover the account in the future, or so I assume. Just click the misleading close button in the corner of the window to return to the tokens list, where you should see Twitch listed.
Step 3: Extract TOTP settings from Authy
Now for the tricky part. Go to Extensions settings in Chrome.
Or type chrome://extensions in the address bar.
Turn on the "Developer mode" switch in the top right of this page.
Scroll down until you find Authy under Chrome Apps and click Details.
There should be an "Inspect views" section, click the link which says "main.html".
This will open the Dev Tools for the extension, which should open on the Console tab. If not, click the tab to switch to it.
Should look something like this.
Now for the scariest part, copy paste this code into the console:
Code is from here.
This is self-contained and never sends your details to anyone. Hit enter and it should spit out your TOTP settings. You may have to scroll back up slightly.
Good luck, I'm behind 7 proxies.
Step 4: Configure your TOTP client
Unfortunately it still uses slightly non-standard settings, specifically 7 digits and a 10 second period instead of the normal 6 and 30, so support might be hit or miss. I guess this is to make people think it's special and more secure?
You can simply try using the QR code and seeing if it works, or you may have to configure some settings manually. I'll fill in specific instructions here as they're reported. Once it's set up, you can enter a generated code back into Twitch, or simply try logging in again if you entered a code from SMS or Authy earlier.
Once you've confirmed it's working, you can uninstall Authy and disable developer mode in Extensions settings. Enjoy less insecure 2FA!
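To see why the 7-digit/10-second setting trips up some clients, here is an added example (not code from the original post or from Authy/Twitch) of plain RFC 6238 TOTP with the digits and period as parameters, plus an otpauth:// URI builder and parser. A client that ignores the `digits`/`period` parameters falls back to 6 and 30 and produces codes that never match. The secret used below is the RFC 6238 test-vector secret (base32 of the ASCII string "12345678901234567890"), not a real Twitch secret; the account name and issuer are placeholders.

```python
"""Added example: RFC 6238 TOTP with configurable digits/period (RFC test secret, not a real token)."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, urlparse

# RFC 6238 test secret: base32("12345678901234567890"). Constructed for the demo.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def normalize_base32(secret: str) -> bytes:
    """Decode a base32 secret, tolerating spaces, lowercase and missing '=' padding
    (all common when a secret is copied out of a console or a QR code label)."""
    cleaned = "".join(secret.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, digits: int = 6, period: int = 30, at=None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period).
    Authy-style Twitch tokens use digits=7, period=10 instead of the usual 6/30."""
    if at is None:
        at = time.time()
    return hotp(normalize_base32(secret_b32), int(at) // period, digits)


def verify(code: str, secret_b32: str, digits: int = 6, period: int = 30,
           at=None, window: int = 1) -> bool:
    """How a verifier checks a submitted code: same parameters, +/- `window` periods of
    clock drift, constant-time comparison so timing does not leak digit matches."""
    if at is None:
        at = time.time()
    if len(code) != digits or not code.isdigit():
        return False
    key = normalize_base32(secret_b32)
    counter = int(at) // period
    return any(hmac.compare_digest(hotp(key, counter + d, digits), code)
               for d in range(-window, window + 1))


def otpauth_uri(secret_b32: str, account: str, issuer: str,
                digits: int = 6, period: int = 30) -> str:
    """Build the otpauth:// URI a QR code carries. Non-default digits/period must be
    included explicitly; clients that do not read them silently assume 6/30."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={period}")


def parse_otpauth(uri: str) -> dict:
    """Read secret/digits/period back out of an otpauth:// URI, defaulting to 6/30
    exactly the way a client that ignores the parameters would."""
    query = parse_qs(urlparse(uri).query)
    return {
        "secret": query["secret"][0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


if __name__ == "__main__":
    now = time.time()
    print("standard 6/30 code:", totp(RFC_SECRET, 6, 30, now))
    print("Authy-style 7/10 code:", totp(RFC_SECRET, 7, 10, now))
    uri = otpauth_uri(RFC_SECRET, "someuser", "Twitch", digits=7, period=10)
    print("URI:", uri)
    print("parsed:", parse_otpauth(uri))
```

Design note: `verify` is the check the service side runs; if your client's code is rejected, computing `totp(secret, 7, 10)` yourself and comparing it with what Authy displays for the same second tells you whether the client is silently using 6/30.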
Scanning QR code just works. source
Scanning QR code or pasting URI just works, depending on platform. source
Scanning QR code just works, or can configure manually. source
Right click the entry > TOTP… > Set up TOTP…, enter the TOTP secret, select custom settings and enter 10 seconds and 7 digits.
Can you guess which annoying 2FA I'll cover next?